1. Field of the Invention
The invention disclosed and claimed herein generally pertains to a system and method for determining or generating one or more roles, for use in a data processing system that employs role based access control (RBAC) for security. More particularly, the invention pertains to a system and method of the above type, wherein roles are determined by mining different types of information resources.
2. Description of the Related Art
In a computer or data processing system, RBAC is commonly used to enhance security by specifying the extent to which different users are authorized to access the system. In a business or other organization, RBAC provides a number of roles, wherein each role typically corresponds to a function of the organization. Each of the roles has a set of users who perform the function, and also has a set of permissions that are needed for function performance. As is known by those of skill in the art, and as also used herein, the term “permission” is defined to mean approval of a mode of access to a specified system resource, wherein the approval is granted to a system user. Each user admitted to a particular role is granted each of the permissions in the permission set of such role. Thus, RBAC can provide an orderly mechanism for assigning and regulating access of respective users to the various system resources.
In order to define or determine roles of the above type for an organization, a previously used approach has been to obtain various types of information about the organization. Such information could include, by way of example, organizational structure, processes used, security policies, and user skills and attributes. Typically, this information has been obtained from users and other human sources by means of interviews, questionnaires and the like. Accordingly, this approach or method for determining roles has been referred to as a “top down” approach. However, because it is human intensive, this approach tends to be very costly and time consuming.
As an alternative to the top down approach, use has been made of the Access Control List (ACL) of the computer or data processing system of an organization, wherein the ACL, as used herein, is a table listing each of the system users and their respective permissions, i.e. a user-permission assignment. This alternative, referred to as a “bottom up” approach, assumes that certain patterns exist in the particular permissions which are assigned to different users. Accordingly, reasonable user-permission roles within an organization may be determined or discovered by processing the user-permission data furnished by the corresponding ACL of the organization. However, in order to use this approach efficiently, particularly in connection with a large organization, role mining must be applied to the ACL data. At present, there is a significant lack of semantics in the mined roles. More particularly, the mined roles need not correspond to functions of the organization, and therefore are not practically useful. This is largely because previous efforts have assumed that a role configuration with a minimal number of roles (or a minimal number of user-role assignments and role-permission assignments) is semantically meaningful. However, this assumption is questionable: a configuration can reproduce the ACL exactly with fewer roles while each role merges permissions that no single organizational function requires. Accordingly, an alternative technique for role mining is required which can output a set of practically relevant roles, which are meaningful for businesses and other organizations.
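The following is an added worked example, not code from the patent, that illustrates both the RBAC model of the preceding paragraphs (roles as a user set plus a permission set, with a user holding every permission of every role assigned) and the bottom-up mining step just described. The ACL, the user and permission names and the two mining heuristics (one candidate role per distinct permission set, then dropping any role whose permission set is exactly the union of smaller roles) are constructed for illustration. The reduction lowers the role count while still reproducing the ACL exactly, which is precisely the situation the text warns about: the count says nothing about whether the surviving roles match organizational functions.

```python
"""Toy bottom-up role mining over a user-permission table (constructed example).

Not the patent's method: a minimal illustration of mining candidate roles
from an ACL and checking that the mined RBAC configuration reproduces it.
"""

# Constructed ACL: user -> set of permissions. Each permission is
# "resource:mode", i.e. approval of a mode of access to a resource.
ACL = {
    "alice": {"ledger:read", "journal:post", "payment:approve"},
    "bob":   {"ledger:read", "journal:post"},
    "carol": {"ledger:read", "payment:approve"},
    "dave":  {"ledger:read", "journal:post"},
    "erin":  {"hr:read", "hr:write"},
    "frank": {"hr:read"},
}


def mine_roles_by_permission_set(acl):
    """One candidate role per distinct permission set; users with that exact
    set are its members. Returns (user_roles, role_perms); role names r0, r1,
    ... are assigned largest set first, then alphabetically, so they are stable."""
    distinct = sorted({frozenset(p) for p in acl.values()},
                      key=lambda s: (-len(s), sorted(s)))
    role_perms = {f"r{i}": set(s) for i, s in enumerate(distinct)}
    user_roles = {}
    for user, perms in acl.items():
        for role, rp in role_perms.items():
            if rp == perms:
                user_roles[user] = {role}
    return user_roles, role_perms


def reduce_roles(user_roles, role_perms):
    """Drop any role whose permission set equals the union of the roles whose
    sets are proper subsets of it, reassigning its members to those roles.
    The user-permission relation is unchanged; whether the remaining roles
    correspond to real job functions is NOT checked here (that is the gap the
    text describes)."""
    user_roles = {u: set(r) for u, r in user_roles.items()}
    role_perms = {r: set(p) for r, p in role_perms.items()}
    for role in sorted(role_perms, key=lambda r: -len(role_perms[r])):
        parts = [r for r in role_perms
                 if r != role and role_perms[r] < role_perms[role]]
        if parts and set().union(*(role_perms[r] for r in parts)) == role_perms[role]:
            for rs in user_roles.values():
                if role in rs:
                    rs.remove(role)
                    rs.update(parts)
            del role_perms[role]
    return user_roles, role_perms


def effective_permissions(user_roles, role_perms, user):
    """RBAC semantics: a user holds every permission of every assigned role."""
    return set().union(*(role_perms[r] for r in user_roles.get(user, ())))


def has_permission(user_roles, role_perms, user, perm):
    return perm in effective_permissions(user_roles, role_perms, user)


def users_of(user_roles, role):
    """The user set of a role, the other half of the role definition."""
    return {u for u, rs in user_roles.items() if role in rs}


def reproduces_acl(acl, user_roles, role_perms):
    """True if the mined configuration grants exactly the ACL's permissions
    (no missing and no extra access) for every user."""
    return all(effective_permissions(user_roles, role_perms, u) == p
               for u, p in acl.items())


if __name__ == "__main__":
    ur, rp = mine_roles_by_permission_set(ACL)
    print("candidate roles:", len(rp), "exact:", reproduces_acl(ACL, ur, rp))
    ur2, rp2 = reduce_roles(ur, rp)
    print("after reduction:", len(rp2), "exact:", reproduces_acl(ACL, ur2, rp2))
    print("alice now holds:", sorted(ur2["alice"]),
          "->", sorted(effective_permissions(ur2, rp2, "alice")))
```

Running it, alice's three-permission role is replaced by membership in the bookkeeping role (bob, dave) and the approval role (carol); the decomposition is exact and uses one role fewer. Whether "read ledger + approve payment" is an actual function of the organization, or an artifact of carol's current access, is exactly what the minimization objective cannot tell you, and what the top down information (organizational structure, processes, user attributes) is needed to settle.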